GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-25 05:44:06 -06:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
5c974b1fa6
quartz/content/notes/04-authentication-authorisation-passwords.md
Jet Hughes 3927e328f6 vault backup: 2022-07-29 13:55:49
2022-07-29 13:55:49 +12:00

64 lines
2.1 KiB
Markdown
Raw Blame History

---
title: "04-authentication-authorisation-passwords"
aliases:
tags:
- lecture
- comp210
---
# Authentication
- proof of identity
- need to be sure a user is who they say they are before you can trust them
- usually done via a unique identifier
- unique username
- and a secret that is only known by the authorised user
- password
- biometrics
- 2fa code
## MFA
- many secrets
- protects user/system in the case that a password is disclosed
- additional secrets generated at the time of use.
- short lived
- if found - attackers have a small windoe to exploit
- e.g.,
- sms message
- authenticator app
# Authorisation
- verifying that a user is allowed to access the operation that they are attempting to access
- requires explicit check in the system for restricted operatons
- some code that check if the roles assigned to the authenticaed user intersect the roles required for the current operation
- use is assigned a **role** that defines the operations they are allowed to perform
- e.g.
- custoemer - can view products, and see retail prices
- sales rep - can view products and see retail and cost prices
- manager - can add/delete/modify products
- admin - can change system configuration. can assign roles to users
# Authentication and Authorisation
- one is useless without the other
- many security vulnerabilities are caused by inexperienced/incompetent programmer creating systems that only have one or the other
- authenticaion without authorisation can lead to *path traversal* flaws
- changing the url path to find admin sites
- authorisation without authenticaion is the equivalent of blindly trusting your users.
# Passwords
- not good
- lots of bad advice
- we are lazy
- "safe" passwords are difficult to enter on touch screen devies
- to many accouts
## entropy
- amount of randomness
- measure of the number of guesse an attacker would need to brute force
- $E = log_2(A^L)$
- A = size of alphabet
- L = length of password
- E = entropy in bits
- 80 bits is "safe"
- would take decades
- 6 digits passoword - 29 bits (took 4 seconds to brute force)
- + uppercase and numbers - 36 bits
Reference in New Issue View Git Blame Copy Permalink